1. Field of the Invention
This invention relates generally to systems and methods for information communication. More particularly, the present invention relates to systems and methods for safeguarding such information and for identifying such safeguarded information within communications. Most particularly, the present invention relates to steganography and steganalysis technologies.
2. Description of Related Art
Various techniques have been provided to selectively safeguard communications. These techniques include, for example, cryptography, steganography, and covert channel communications. Cryptography typically seeks to hide the contents of a message without hiding the existence of the message itself. For example, an encrypted message may appear to a casual observer as a collection of garbled text, with no discernible meaning. Steganography, however, seeks to hide the very existence of a message from those other than its intended recipient. Typically, in a steganographic communication, a covert message is disguised within a common, readily viewable message; transfer of the common message is thus permitted without interception, since the transfer appears benign to a casual observer. A distinction might be made between steganography and covert channel communications, wherein covert channels never intended for information flow are exploited by a process to transfer information in a manner that may violate the system's security policy. As such, if any reasonably knowledgeable person observed the transfer, it would be construed as a violation of the security policy and, typically, measures would be taken to shut down the communications. For purposes of this discussion, the terms “steganography”, “covert channel communications”, “covert communications”, and “embedded communications” may be used interchangeably to indicate the intentional concealment of information or data from a group or class of observers or recipients, where the concealed information or data are transmitted, for example, during or coexistent with an overt communication process.
Modern digital communications present ample opportunity for safeguarding information via covert communications. These methods include chaffing and winnowing and the exploitation of covert channels used in the layers of the TCP/IP network model. The method of “chaffing and winnowing” provides for the transmission of digital message traffic along with an appropriate Message Authentication Code (MAC), which may be added by various mechanisms within the network model. Transmitted along with the desired message and its correct MAC are a large number of other messages, each with an incorrect MAC, preventing eavesdroppers from ascertaining which message is the correct one. This technique, however, merely obscures the content being transmitted, and fails to address the key tenet of steganography; i.e., the fact that some sort of covert communications is occurring. Thus, if the desired message were translated from its binary or hexadecimal values into actual text, an observer would readily note the occurrence of some sort of covert communications. Deletion of the message by the observer would serve to foil the scheme, whether or not the observer was able to ascertain the actual contents of the message.
Covert channels of communications in the network layers of a communication system such as a wide-area network (WAN) or a local area network (LAN) may also be utilized. Various layers such as the physical, the link, the network, the transport, the application, or various combinations of the preceding, may be used. For example, the physical layer of the TCP/IP network is used to interface the higher layers of the network model with the physical medium that transfers the information from computer to computer. This layer contains the hardware necessary to effect transmission and handles the timing and control of the signals that are passed between computers.
One technique used at the physical layer uses control signals in a point-to-point connection to transmit hidden information. In normal operations of a serial link or dial-up circuit, data flow can be controlled by the use of the Clear To Send/Ready To Send (CTS/RTS) signal pair. If the CTS/RTS signals can be manipulated with minimal disruption to the actual data flow, then a second communications channel can be opened, using the CTS/RTS signal as the data waveform. In the first scenario, the CTS/RTS signal provides for uninterrupted data flow between the two linked systems. In the second scenario, although it appears to an observer that the data flow is controlled by a standard handshake routine, the CTS/RTS signal is actually a covert channel, transmitting a predetermined code; for example, standard Morse code. This technique is only applicable to serial link communications, however, and does not readily lend itself to TCP/IP network communications.
Another technique at the physical layer involves manipulation of the collision control functions of Ethernet networks. In an Ethernet network, a jamming signal is transmitted over the network whenever a collision occurs between two segments of data. Both of the sending parties stop transmitting for a random period of time. This functionality can be utilized in conjunction with a covert channel according to the following: a transmitter of hidden information deliberately jams another party on the network, signaling that a bit of hidden information is next to be transmitted. Rather than waiting the random period of time before retransmission, however, the next data packet is either sent immediately (to signal a zero) or after the maximum delay, thus after the other party retransmits (to signal a one). Unlike the previously described CTS/RTS technique, the collision manipulation technique takes place over a shared network, thus the recipient of the hidden information is not limited to a specific computer system. The actual data in the transmitted packets are real, overt data to any other host on the network. The collision timing signals the hidden information. Additionally, the other party used in the signaling scheme does not share in the hidden information, but functions as a pawn in the scheme. This method, however, transmits very little information at a time, thus inhibiting effective covert communications.
At the data link layer, or link layer, steganography, or data hiding, begins to have an impact on covert communications. The link layer primarily shapes the higher-layer packets into a format for easy transmission over the physical layer and minimizes data corruption during send/receive operations to/from the physical layer. At this layer, and at all layers above this layer, there are opportunities to insert hidden information directly into the data stream without adversely affecting the overtly transmitted data. One technique involves padding Ethernet frames to meet a minimum length. Ethernet frames must contain at least 46 bytes of user data to be transmitted correctly. If the data are shorter than 46 bytes, pad bytes are inserted to meet that minimum. Hidden data could be inserted where the pad bytes are normally inserted by the transmitter and subsequently stripped off for the receiver to read. The amount that can be transmitted is dependent on the amount of valid information within the packet provided by higher layers, thus throughput may be significantly limited by transmissions of relatively small amounts of covert data.
The network layer provides the delivery mechanism for packets arriving from the link and transport layers. It appends source and destination information onto the higher layer data to ensure correct delivery and receipt of the packets. It is within this appended information that data hiding can occur. A number of techniques might be used to hide data at this layer, including insertion of the hidden information directly into the unused or reserved spaces within the IP header. Unused space within the IP header currently consists of two bits within the IP Type of Service (TOS) field. Although the considerable number of IP packets transiting a network would provide ample opportunity for covert communications, the throughput is rather limited.
Another technique at the network layer involves use of the IP header space for hidden information transfer. Rather than limiting use of space to just two bits, as seen with use of the TOS field, the identification field within the IP header might be modified to contain valid, covert information. An example of this is insertion of an ASCII character, multiplied by 256, into the identification field. The intended recipient of the covert information would need only to read the identification field and divide by 256 to ascertain the hidden message. As this field is used when fragmenting packets, however, prudent use dictates that each IP packet remains small enough to avoid fragmentation, thus limiting covert communications to some extent.
The transport layer provides data delivery to different applications within a host, and provides error control of the data that are transmitted and received. One steganographic technique at this layer relates to the concealment of information within the TCP header. The TCP header reserves six bits between the four-bit header length field and the TCP header flags, which may be used to hide data. Also, the 32-bit sequence number field used to transfer data may be used to transfer covert information. This method takes advantage of use of the sequence number field to identify an Initial Sequence Number (ISN) during the establishment of TCP connections. Rather than setting the ISN to a host-generated or arbitrary number, the ISN can be modified to denote special information (in numeric form). Since the ISN is 32 bits long, a significant amount of information can be transferred. This particular use of the sequence number field, however, is limited to connection establishments (SYN segments). While several SYN segments may be sent, rapid succession of these segments would undoubtedly attract notice, which is a violation of the notion of steganography.
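The unused-field channels described for the link, network and transport layers above (pad bytes in short Ethernet frames, the two unused TOS bits, an identification field carrying an ASCII value multiplied by 256, and the six reserved TCP bits) all leave a trace a monitoring host can check for, since each field has a known benign value or distribution. The following Python is an added steganalysis example, not text or code from the patent: it parses constructed IPv4/TCP packets (no IP options, checksums left at zero, the packets built inline as sample data), assumes the two unused TOS bits are the low-order pair of the byte, and reports which fields deviate from what a benign packet would carry.

```python
import struct
from typing import Dict, List

ETH_MIN_PAYLOAD = 46           # minimum Ethernet payload length, as stated on the page
PRINTABLE = range(0x20, 0x7F)  # printable ASCII, for the "character x 256" ID-field pattern


def parse_ipv4_tcp(payload: bytes) -> Dict[str, int]:
    """Extract the header fields the checks need (IPv4 without options, TCP per RFC 793)."""
    (ver_ihl, tos, total_len, ident, _frag, _ttl, proto,
     _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", payload[:20])
    if proto != 6:
        raise ValueError("not a TCP segment")
    ihl = (ver_ihl & 0x0F) * 4
    (_sport, _dport, seq, _ack, off_res, res_flags,
     _win, _tcsum, _urg) = struct.unpack("!HHIIBBHHH", payload[ihl:ihl + 20])
    # Byte 12: 4-bit data offset + 4 reserved bits; byte 13: 2 reserved bits + 6 flag bits.
    reserved = ((off_res & 0x0F) << 2) | (res_flags >> 6)
    return {"tos": tos, "total_len": total_len, "ident": ident, "seq": seq,
            "reserved": reserved, "flags": res_flags & 0x3F}


def header_anomalies(payload: bytes) -> List[str]:
    """Return the names of header fields that deviate from their expected benign values."""
    h = parse_ipv4_tcp(payload)
    findings = []
    if h["tos"] & 0x03:                         # assumption: the two unused TOS bits are the low-order pair
        findings.append("tos-unused-bits")
    if h["ident"] & 0xFF == 0 and (h["ident"] >> 8) in PRINTABLE:
        findings.append("ipid-ascii-x256")      # ID field has the shape printable_char * 256
    if h["reserved"]:
        findings.append("tcp-reserved-bits")    # the six reserved bits should be zero
    if any(payload[h["total_len"]:ETH_MIN_PAYLOAD]):
        findings.append("nonzero-eth-padding")  # pad bytes after a short IP packet should be zero
    return findings


def ipid_hit_rate(packets: List[bytes]) -> float:
    """Share of packets whose ID field matches the ASCII*256 shape. A random ID field matches
    roughly 1 time in 256 by chance, so only a flow well above that rate merits a closer look."""
    if not packets:
        return 0.0
    return sum("ipid-ascii-x256" in header_anomalies(p) for p in packets) / len(packets)


def build_packet(tos=0, ident=0x1234, reserved=0, flags=0x02, seq=0, pad=b"") -> bytes:
    """Construct a minimal IPv4/TCP SYN as an Ethernet payload (sample data; checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, ident, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0,
                      (5 << 4) | (reserved >> 2), ((reserved & 0x03) << 6) | flags, 65535, 0, 0)
    pkt = ip + tcp                              # 40 bytes, so Ethernet pads it to 46
    return pkt + pad.ljust(ETH_MIN_PAYLOAD - len(pkt), b"\x00")


# Constructed samples: one benign packet and one per covert-field pattern described on the page.
SAMPLES = {
    "clean": build_packet(),
    "ipid": build_packet(ident=ord("H") * 256),
    "tos": build_packet(tos=0x03),
    "reserved": build_packet(reserved=0b101010),
    "pad": build_packet(pad=b"hi"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:9s} {header_anomalies(pkt)}")
    print("ID-field hit rate across samples:", ipid_hit_rate(list(SAMPLES.values())))
```

The per-packet checks are deliberately simple and each has a benign explanation on a modern network (the low TOS bits now carry ECN, and one in 256 random identification values has a zero low byte), which is why the flow-level hit rate, rather than any single packet, is the signal worth alerting on.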
The application layer facilitates interaction between the user and the host computer/network. This layer typically handles the details of individual applications and passes necessary information to the transport layer for further network action. Since the transport layer does not differentiate between types of data received from the application layer, a great amount of covert communication takes place here, primarily in the form of cryptography and steganography. In the area of networking, applications such as Hypertext Transfer Protocol (HTTP) can be exploited to carry a variety of different types of files with hidden information. For example, means of transferring hidden data may be accomplished via word processing files, where one space between adjacent words signals a zero, and two spaces signals a one, the series of ones and zeroes forming a covert message.
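The word-spacing scheme in the paragraph above (one space between words for a zero, two spaces for a one) leaves a measurable trace in the cover text: the proportion of double-space gaps, which in ordinary prose is close to zero. The following Python is an added steganalysis example rather than text or code from the patent. The two sample strings are constructed here, the 0.2 ratio threshold is an arbitrary assumption to be tuned against a real document corpus, and the decode step simply reads the gap widths back as bits to show what a flagged document would carry.

```python
import re
from typing import Dict

# An inter-word gap: a run of spaces with a non-space character on both sides.
GAP = re.compile(r"(?<=\S)( +)(?=\S)")


def gap_bits(text: str) -> str:
    """Map each inter-word gap to a bit under the scheme on the page: one space -> 0, two -> 1.
    Gaps of any other width carry no bit under that scheme and are skipped."""
    bits = []
    for m in GAP.finditer(text):
        width = len(m.group(1))
        if width in (1, 2):
            bits.append("0" if width == 1 else "1")
    return "".join(bits)


def double_space_ratio(text: str) -> float:
    """Fraction of inter-word gaps that are exactly two spaces; plain prose sits near 0."""
    widths = [len(m.group(1)) for m in GAP.finditer(text)]
    if not widths:
        return 0.0
    return sum(1 for w in widths if w == 2) / len(widths)


def bits_to_text(bits: str) -> str:
    """Group bits into bytes (most significant bit first) and render them as characters;
    a trailing partial byte is dropped."""
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits) - 7, 8))


def analyze(text: str, threshold: float = 0.2) -> Dict[str, object]:
    """Flag text whose double-space ratio reaches the threshold and show what its gaps decode to."""
    ratio = double_space_ratio(text)
    suspicious = ratio >= threshold
    return {"ratio": ratio, "suspicious": suspicious,
            "decoded": bits_to_text(gap_bits(text)) if suspicious else ""}


# Constructed samples: ordinary prose, and a sentence spaced so that its 16 gaps spell "Hi" (0x48 0x69).
CLEAN = "the quick brown fox jumps over the lazy dog"
STEGO = "the quick  brown fox jumps  over the lazy dog while  the  cat sleeps  under the old  tree"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("stego", STEGO)):
        print(label, analyze(sample))
```

Documents that follow the two-spaces-after-a-period typing convention will raise the ratio on their own, so in practice the gaps after sentence-ending punctuation should be excluded, or the threshold set from the ratio observed in known-benign documents from the same source, before this check is used for alerting.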
Another available technique in web data hiding is the insertion of various formatting tags in or around the cover media. Image and audio files may also be used. Image and audio files are inherently noisy, thus there is a significant amount of information mixed in with the data that has no significant impact on the transmission or interpretation of the cover media. For example, this can be clearly observed in most raster or bit-mapped images that are compressed under the Joint Photographic Experts Group (JPEG) image compression standard. In many cases, this noise is simply standard Gaussian white noise that is prevalent in all but images of the highest resolution. This noise can be easily replaced with embedded information, with the resulting image generally appearing to casual observers as an identical image to the cover image.
Audio files also have significant capacity for hidden information. The typical human capacity for hearing is in the range of 4 kHz to 20,000 kHz. In the interest of space conservation, most audio clips are sampled at a rate that allows clear transmission of the intended signal (the audio) without using the entire bandwidth. As a cover medium, the audio files can hide large amounts of information, depending on the relative amplitude and temporal characteristics of the cover media and the information to be embedded. If the information to be embedded can be quantified and sampled at a significantly higher rate than the cover media, the hidden messages (stego-messages) can conceivably carry huge amounts of data. With pure tones, for example, a steganography user should be able to manipulate one sample in 8000. With classical music, one sample in 1800 may be sufficient to hide information without degrading the cover signal.
Video files also present an opportunity to embed a significant amount of information into a cover medium. In the case of video, the steganography user has the option of using the visual cover media, the audio cover media, or both to transfer the hidden information. Depending on the level of compression of the audio and video, the capacity for inclusion of hidden information in video files is increased significantly. If the compression is low, the amount of space available to embed information is greater.
Though the amount of data at the application layer is limited only by the amount of “real” data available in which to hide the cover data, a significant increase in the file size would most certainly alert an observer to the possibility of hidden data within the files. Similarly, while a graphics file can accommodate approximately half of its size in hidden information, modern graphics embedded in web pages are compressed to a great extent to expedite the download of files.
Further, the aforementioned schemes fail to provide for data robustness. For example, in the data link layer and network layer protocols, the information is sent without any requirement for retransmission if the data is invalid. Therefore, errors in the covert data within these layers would render the information useless. To prevent such an occurrence, error-correcting codes are typically used. Depending on the code used, however, this presents a significant increase in the amount of covert data to be transmitted, with a resulting decrease in overall covert data throughput.
Overt data transmission at the transport layer is considered reliable due to various error-correcting mechanisms within the protocol, including use of sequence numbers and a checksum that covers the data as well as the TCP header. Additionally, the application layer may contain error correction mechanisms that will force a retransmission of the data if it is corrupt. None of the previously described systems and methods defines means for handling errors within the covert data and methods for retransmissions of covert data.
What is needed, then, is a robust system and method for provision of embedded communications via various networks, including wide area networks (WANs) such as the Internet. It is further desirable to provide such a system and method whereby the embedded communications embody optimal performance characteristics, including throughput, error detection and correction, and maintenance of quality of the associated real data and the embedded data. It is also desirable to provide such a system and method that can avoid detection of the embedded data or information by casual observers of related processes and by unintended parties to the communication. Finally, it may be desirable to provide a counter method and system for detecting and blocking the unwanted covert communications of others.